Enable Kerberos by default for OpenSSH #34348
Conversation
The git history provides the same information via `git blame`, so remove the unnecessary comments.
|
I still need to run the NixOS tests and such, but wanted to post this for discussion. |
This can be disabled with the `withKerberos` flag if desired. Make the relevant assertions lazy, so that if an overlay is used to set kerberos to null, a later override can explicitly set `withKerberos` to false. Don't build with GSSAPI by default; the patchset is large and a bit hairy, and it is reasonable to follow upstream who has not merged it in not enabling it by default.
aneeshusa
force-pushed
the
enable-kerberos-by-default-for-openssh
branch
from
dab3585
to
1da0787
Compare
|
-1 for the first commit, +2 for the second commit (PR topic). |
|
@GrahamcOfBorg test openssh |
There was a problem hiding this comment.
Failure on x86_64-linux (full log)
Partial log (click to expand)
while evaluating the attribute ‘condition’ at /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/modules.nix:467:14:
while evaluating the attribute ‘condition’ at /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/modules.nix:467:14:
while evaluating the attribute ‘powerManagement.cpuFreqGovernor’ at /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/attrsets.nix:199:44:
while evaluating anonymous function at /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/modules.nix:75:45, called from /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/attrsets.nix:199:52:
while evaluating the attribute ‘value’ at /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/modules.nix:312:9:
while evaluating the option `powerManagement.cpuFreqGovernor':
while evaluating the attribute ‘mergedValue’ at /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/modules.nix:339:5:
while evaluating anonymous function at /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/modules.nix:339:32, called from /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/modules.nix:339:19:
while evaluating ‘merge’ at /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/types.nix:319:20, called from /home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/lib/modules.nix:342:8:
The option `powerManagement.cpuFreqGovernor` is defined both null and not null, in `/home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/nixos/modules/tasks/cpu-freq.nix' and `/home/borg/borg-rs/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/7c6f434c-buildbox/nixos/modules/config/power-management.nix'.
|
re that test failure I left this comment on the PR I suspect is responsible: #34350 (comment) |
|
@GrahamcOfBorg test openssh |
There was a problem hiding this comment.
Success on x86_64-linux (full log)
Partial log (click to expand)
server: exit status 0
2 out of 2 tests succeeded
test script finished in 18.78s
cleaning up
killing server_lazy (pid 593)
killing client (pid 604)
killing server (pid 614)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/tmp/nix-build-vm-test-run-openssh.drv-0/vde1.ctl': Directory not empty
/nix/store/77agy3j3wl4a70jyk27wnmdkkjivmz4j-vm-test-run-openssh
|
@GrahamcOfBorg test initrd-network-ssh |
There was a problem hiding this comment.
Success on x86_64-linux (full log)
Partial log (click to expand)
client# [ 9.711402] reboot: Power down
vde_switch: EOF data port: Interrupted system call
collecting coverage data
syncing
test script finished in 11.03s
cleaning up
killing server (pid 604)
vde_switch: EOF on stdin, cleaning up and exiting
vde_switch: Could not remove ctl dir '/tmp/nix-build-vm-test-run-initrd-network-ssh.drv-0/vde1.ctl': Directory not empty
/nix/store/xjmnn5yrxcsgmwgvxdml9hdidhvqrdcy-vm-test-run-initrd-network-ssh
|
@aneeshusa can you remove the first commit? Then I think this is good to merge. |
|
Ehh I'll just pick it :) |
|
I'd like to run the NixOS tests, test the hpn build, etc. before merging. |
|
Applied the second commit in a232dd6, thanks! |
|
Erm... sorry @aneeshusa, so I ran the initrd ssh test and the openssh test prior to merging (see: #34348 (review), #34348 (review)) but what about hpn? |
|
No worries @grahamc. The two other things I wanted to check were that the top-level I think this could also merit a line or two in the release notes. |
|
Sounds good, @aneeshusa. Thanks for testing. Can you submit a patch for the release notes? |
Motivation for this change
@grantwwu recently made a mailing list post about making using OpenSSH with Kerberos easier. As one of the openssh maintainers, I think the easiest thing to do here is to enable Kerberos by default.
Things done
build-use-sandboxinnix.confon non-NixOS)nix-shell -p nox --run "nox-review wip"./result/bin/)